Building Security

Building security includes not only the outside perimeter or who gets past the guard, but also how documents are stored, access to faxes and so much more. Listen to what experts say about securing your building from data thieves.

Employee Security

Employees are a company's best asset, but also its biggest security liability. Frequently, employees are never trained on how to protect data that thieves can easily retrieve. Learn what different security experts have to say about how to make your employees a stronger security force.

Computer & Network Security

Electronic data needs to be protected from viruses, spyware, hackers, crackers, Trojan horses, and the list goes on. Learn tricks and tips from computer security experts on how to secure your electronic data from data thieves.

Feb
07

Red Flags are Coming! Red Flags are Coming!

By Dovell Bonnett

Enforcement of the “Red Flag Rules” starts May 1st, 2009. The Red Flag Rules specify that “financial institutions and creditors” protect an individual’s personal information from identity theft by raising a “red flag”. The companies must establish policies and procedures to recognize, detect, and respond to an identity theft attack. However, the scope of who has to comply may be larger than originally thought.

The Federal Trade Commission (FTC), the federal bank regulatory agencies, and the National Credit Union Administration (NCUA) have issued regulations (the Red Flags Rules) as part of the Fair and Accurate Credit Transactions Act (FACTA) of 2003. But when one also adds in the Gramm-Leach-Bliley Act (GLBA), which recently redefined what constitutes a financial institution, more businesses are affected. According to GLBA:

“Financial institutions” which include not only banks, securities firms, and insurance companies, but also companies providing many other types of financial products and services to consumers. Among these services are lending, brokering or servicing any type of consumer loan, transferring or safeguarding money, preparing individual tax returns, providing financial advice or credit counseling, providing residential real estate settlement services, collecting consumer debts and an array of other activities.

Therefore, health care providers, real estate agents, accountants, bookkeepers, retail stores, utilities, car dealerships, schools, etc. all fall under GLBA, which in turn ties to FACTA, which institutes the Red Flag Rules.

When a data breach of either paper or electronic information occurs, all customers, patients, employees and/or vendors must be notified. A breach means not only a thief or hacker breaking in, but also improper disposal of sensitive documents, lost computers or storage devices with unencrypted data, a dishonest employee, open posting of passwords, etc. Statistics show that careless employees’ actions account for the majority of the incidents that data thieves rely on to collect sensitive information.

The Red Flag Rules give very little information to companies as to what policies and procedures should be put in place. Rather, the FTC states that “the Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.” Typical government uselessness.

 So here are some tips:

  1. Protect the building: ID badges, access control, CCTV, locked file cabinets, limited access to incoming faxes, etc.
  2. Protect the employees: Security training and awareness, clean desk policy, shredding of papers, email security, etc.
  3. Protect PCs and computers: Anti-virus software, data encryption, password managers, etc.
  4. Network Protection: Firewalls, VPNs, monitoring, password policies, limited web access, file access monitoring programs, etc.

With the complexity and the cross-integration required to develop a security policy, it is best to bring in security consultants and experts to work closely with your existing CSO, CIO and IT managers. The security consultants are not there to replace anyone but rather to be a valuable tool to prevent a breach that now costs a company about $6.6 million per incident (source: Ponemon Institute).

January’s Feature Advice

Employees will use your company computers to shop online for the holidays. While there are software packages that can be added to your server to block this to some degree, there are always workarounds. From a security perspective you don’t want employees using the same password for their shopping carts as they use for your networks and data files. A password manager program is a good way to avoid this problem. Please check out our feature product Power LogOn.

May’s Feature Product

Power LogOn: Power LogOn is a smartcard-based password management solution. While other smartcard security systems are only affordable to the Fortune 100 companies, Power LogOn broke this barrier. So imagine never having to remember or type another one of your passwords, having strong security, at a starting price of $53.